Re: [Xen-devel] [PATCH] vpci: don't allow access to devices not assigned to the domain
> From: Jan Beulich [mailto:jbeulich@xxxxxxxx]
> Sent: Monday, September 2, 2019 7:58 PM
>
> On 02.09.2019 13:30, Roger Pau Monne wrote:
> > Don't allow the hardware domain to access the PCI config space of
> > devices not assigned to it. Ie: the config space of iommu devices
> > in use by Xen should not be accessible to the hardware domain.
>
> Well, I agree with what you say above, but the code change disallows
> much more than this. In particular Dom0 (and maybe stub domains too)
> need to be able to access the config space of devices assigned to
> guests, e.g. for qemu to control MSI and/or MSI-X.
>
> > --- a/xen/drivers/vpci/vpci.c
> > +++ b/xen/drivers/vpci/vpci.c
> > @@ -319,7 +319,21 @@ uint32_t vpci_read(pci_sbdf_t sbdf, unsigned int
> reg, unsigned int size)
> > /* Find the PCI dev matching the address. */
> > pdev = pci_get_pdev_by_domain(d, sbdf.seg, sbdf.bus, sbdf.devfn);
> > if ( !pdev )
> > + {
> > + pcidevs_lock();
> > + pdev = pci_get_pdev(sbdf.seg, sbdf.bus, sbdf.devfn);
> > + pcidevs_unlock();
>
> The locking here points out a pre-existing issue: While
> pci_get_pdev_by_domain() doesn't check that the pcidevs lock is
> being held, it really should. It not doing so is (I guess) because
> VT-d code too looks to be violating this. Kevin - thoughts?
>

It's used by addr_to_dma_page_maddr, while the latter is used in many
code paths. Some of them already hold the lock while others don't.
Instead of introducing trickiness in those paths, I think this may be
fixed in an easier way - just removing the invocation of
pci_get_pdev_by_domain. The only purpose of current usage is to find
the related DRHD, and then do NUMA-aware page table allocation. It's
needless to repeat finding DRHD here. We can just record it when
assign_device happens. Let's tweak a fix for it.

Thanks
Kevin

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
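Review bot: in the vpci_read() hunk, pcidevs_lock() is released immediately after the fallback pci_get_pdev() returns, so the pdev pointer obtained under the lock is necessarily used after the lock is dropped, while the first lookup via pci_get_pdev_by_domain() on the same sbdf is done with no lock at all; the two lookups should be protected the same way, either by taking the lock once around both lookups and the code that consumes pdev, or by a comment explaining what makes the unlocked use safe. The quoted excerpt also shows only the lookup part of a 21-line hunk (@@ -319,7 +319,21 @@), so the branch that decides what a non-owning domain gets back after the fallback finds the device is not visible here; that is the part that must implement the distinction Jan raises between Xen-owned devices (to be hidden) and guest-assigned devices (which Dom0 still needs for MSI/MSI-X handling), and the commit message should state that policy rather than only "devices not assigned to it".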
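The thread's disagreement is about which non-owning accesses the config-space filter should permit: Roger's patch hides everything not assigned to the requesting domain, while Jan points out that Dom0 must still reach devices assigned to guests. The following is an added illustration, not Xen code and not part of the thread: it models that ownership policy with a hypothetical device table and a stand-in for the pci_get_pdev() lookup, using made-up domain-id constants (DOMID_HWDOM, DOMID_XEN) and a constructed set of three devices. It shows the decision rule as a single function so the three cases (own device, Xen-owned device, guest-assigned device reached from the hardware domain) can be checked directly.

```c
/* Added example modelling the vpci ownership check discussed in the thread.
 * This is NOT Xen code: struct pdev, lookup_pdev() and the DOMID_* values are
 * hypothetical stand-ins for Xen's struct pci_dev, pci_get_pdev() and domid_t. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DOMID_HWDOM  0        /* the hardware domain (dom0) */
#define DOMID_XEN    0x7ff0   /* devices Xen keeps for itself, e.g. an IOMMU */

struct pdev {
    uint16_t seg;
    uint8_t  bus, devfn;
    uint16_t owner;           /* domain id the device is assigned to */
};

/* Constructed device table for the example:
 *  0000:00:00.0  IOMMU, owned by Xen itself
 *  0000:03:00.0  NIC, assigned to guest domain 5
 *  0000:05:01.0  disk controller, owned by the hardware domain */
static const struct pdev devices[] = {
    { 0, 0x00, 0x00, DOMID_XEN },
    { 0, 0x03, 0x00, 5 },
    { 0, 0x05, 0x08, DOMID_HWDOM },
};

/* Stand-in for pci_get_pdev(): find a device by SBDF regardless of owner. */
static const struct pdev *lookup_pdev(uint16_t seg, uint8_t bus, uint8_t devfn)
{
    for (size_t i = 0; i < sizeof(devices) / sizeof(devices[0]); i++)
        if (devices[i].seg == seg && devices[i].bus == bus &&
            devices[i].devfn == devfn)
            return &devices[i];
    return NULL;
}

/* Ownership policy as discussed in the thread:
 *  - a domain may access devices assigned to it;
 *  - nobody may access Xen-owned devices (the commit message's intent);
 *  - the hardware domain may additionally access guest-assigned devices
 *    (Jan's point: qemu in dom0 drives MSI/MSI-X for them).
 * Returns true when the config-space access is permitted. */
static bool vpci_access_allowed(uint16_t requester, uint16_t seg,
                                uint8_t bus, uint8_t devfn)
{
    const struct pdev *pdev = lookup_pdev(seg, bus, devfn);

    if (!pdev)
        return false;                    /* unknown device: refuse */
    if (pdev->owner == requester)
        return true;                     /* the requester's own device */
    if (pdev->owner == DOMID_XEN)
        return false;                    /* Xen-internal, never exposed */
    return requester == DOMID_HWDOM;     /* dom0 reaches guest devices */
}

int main(void)
{
    struct { uint16_t dom; uint8_t bus, devfn; } q[] = {
        { DOMID_HWDOM, 0x00, 0x00 },  /* dom0 -> IOMMU: denied */
        { DOMID_HWDOM, 0x03, 0x00 },  /* dom0 -> guest NIC: allowed */
        { 5,           0x03, 0x00 },  /* guest -> its own NIC: allowed */
        { 5,           0x05, 0x08 },  /* guest -> dom0's disk: denied */
    };
    for (size_t i = 0; i < sizeof(q) / sizeof(q[0]); i++)
        printf("dom %u -> %04x:%02x:%02x.%u: %s\n", q[i].dom, 0, q[i].bus,
               q[i].devfn >> 3, q[i].devfn & 7,
               vpci_access_allowed(q[i].dom, 0, q[i].bus, q[i].devfn)
                   ? "allowed" : "denied");
    return 0;
}
```

The model deliberately leaves out the locking question Jan raises: in the real code the pdev pointer returned by the lookup is only valid while the pcidevs lock is held, so a policy check like this one has to run under the same lock as the lookup rather than after it is dropped.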